EV Certificates Enhance The Bottom Line, Not Trust
I understand what EV certificates are supposed to impart: that the Web site represents a legitimate business. When generating non-EV SSL certificates, Certificate Authorities (CAs) like VeriSign will, generally speaking, check that the person making the request for a server certificate is the rightful owner of the domain name and is authorized to make the request. You can read the details in section 3.2 of VeriSign’s Certification Practice Statement. Basically, if I wanted to request an SSL certificate for the Web site www.example.com, I would have to prove that I am the rightful owner of the domain and identify myself.

Extended Validation certificates, on the other hand, are supposed to communicate that the Web sites using them are somehow more trustworthy than Web sites that aren't using them. The idea is that before an EV CA issues a certificate to a company, the issuing EV CA validates that the company is a legal entity by checking its incorporation with the claimed state authority. The issuing EV CA also validates that other information supplied, like the company name, addresses, etc., is accurate. EV certificates also require the use of revocation validation. That's all great stuff. Revocation validation should have been required years ago.

The Diabolical Dichotomy

From VeriSign's CPS, appendix B2b (I did some grammar and format edits), we have:

... by providing more reliable third-party verified identity and address information regarding the owner of a website, EV Certificates may help to:
And in appendix B2c, we have:
So which is it? Based solely on the presentation of an EV certificate, can I trust the business associated with an EV certificate or not? The answer is NOT. The exclusions in the CPS make perfect sense because an EV CA is only validating that a company is, in fact, a legal entity. Period. Any trust or value ends there. How hard is it to set up a legal company? Not hard. A limited liability corporation (LLC) can probably be set up for less than $1,000.

Knowledge Transfer

The real question is what the user infers when using a Web browser that is capable of detecting an EV certificate. Green is good. Red is bad. White is neither good nor bad. Those visual clues cause a reasonable person to infer something far different from what is being asserted. What is being asserted by an EV certificate is that the Web site has been validated as a legal entity. What a reasonable person infers is that a Web site that turns the address bar green is good, trusted; a Web site that turns the bar red is bad, untrusted; and a Web site where the address bar doesn't change is neither good nor bad. Depending on your outlook, that Web site with a white address bar could be questionable.

But wait. Wasn't the golden lock in Web browsers for the last 10 years telling us something similar? If you see a lock, your connection is safe and secure? Security professionals know that the lock means an SSL session is running, that the server has been authenticated, and that the data in motion is encrypted. Beyond that, we would have to examine the certificate contents to really see what the certificate signified. To people not versed in security and security protocols, locks are comforting. They see a lock, and reasonable people think safety, because that is the cultural icon we grew up with. If you ask users about the safety and security of the Internet, many non-tech-savvy people will tell you they are afraid of identity theft and scams. They see the stories in the news, if not on a daily basis, then on a weekly or monthly basis. The lock is a lie.

Now we have something new. A colored address bar -- who can miss that? The thing is, EV certificates tell us nothing useful. A Web site with an EV SSL certificate can still be run by scam artists. A Web site without an EV certificate can be run by honest and ethical people. The color of the address bar shouldn't denote trust. Green and red labels are overtly misleading.

The Business Case

VeriSign's outreach on the business case of EV certificates is clearly aimed at leveraging the cultural norms that green is good and red is bad. Therefore, if your Web site turns the address bar green, your Web site must be trustworthy, which means more potential customers will complete their sale. Thus, the investment in an EV certificate will pay off. Their claim that using an EV certificate results in a 30% climb in sales or a 48,000 percent ROI is separate from the meaning or trust implied by an EV certificate.

In late 2007, I spoke with Terence Johnson, VP of technology for Scribendi. Scribendi offers services to writers and is a VeriSign customer using EV certificates. Johnson stated that after Scribendi purchased and deployed their EV certificate, within a few months they saw an uptick in sales completion. Johnson attributes the uptick to the EV certificate. He says that the company was working on a big project internally; the company hadn't made any changes to the site; nor had they engaged in any marketing or outreach. The only change was the addition of the EV certificate. That may very well be the case. Johnson certainly knows his business far better than I do.

Of course, I have to wonder why sales increased and if the increases are due to users trusting the Web site more because of the green bar or due to an understanding of the nature of EV certificates. In other words, would the results have been the same if the address bar turned green for any valid SSL certificate?

There is far more to trusting a business than a green address bar. Word of mouth recommendations, professional dealings with customers, good, a clear presentation of the Web site and what your business does, contact numbers and addresses that are readily available -- these all lead people to trust your business.
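Examining the certificate contents, as the article suggests, shows how narrow the assertion is at every validation level. The following is an added example, not part of the original article: it reads the subject of constructed sample dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()` and lists what each level vouches for. Inferring the level from subject fields is an assumption of this example; browsers decide on the green bar from the certificate-policy OID and the issuing root.

```python
# Added example. The sample dicts are constructed, shaped like the return value
# of ssl.SSLSocket.getpeercert(); they are not real certificates.
# Assumption: the level is inferred from subject fields alone. Browsers key on
# the policy OID and issuing root, which this dict does not carry.
EV_FIELDS = ("businessCategory", "jurisdictionCountryName", "serialNumber")
JURISDICTION = ("jurisdictionStateOrProvinceName", "jurisdictionCountryName")

def subject_fields(cert):
    """Flatten the tuple-of-RDNs subject into a plain dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def what_cert_asserts(cert):
    """Return (level, claims): the facts the CA checked, and nothing more."""
    subj = subject_fields(cert)
    dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    claims = ["requester controls: " + ", ".join(dns or [subj.get("commonName", "?")])]
    org = subj.get("organizationName")
    if not org:
        return "DV", claims            # domain control only
    claims.append("organization name: " + org)
    if not all(f in subj for f in EV_FIELDS):
        return "OV", claims            # organization named, no registry data
    where = ", ".join(subj[f] for f in JURISDICTION if f in subj)
    claims.append("registered legal entity no. %s in %s" % (subj["serialNumber"], where))
    return "EV", claims                # a legal entity exists; honesty is not a field

DV_SAMPLE = {  # constructed
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
EV_SAMPLE = {  # constructed; the registration number is a placeholder
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("jurisdictionStateOrProvinceName", "Delaware"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000000"),),
        (("organizationName", "Example Holdings LLC"),),
        (("commonName", "shop.example.com"),),
    ),
    "subjectAltName": (("DNS", "shop.example.com"),),
}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, EV_SAMPLE):
        level, claims = what_cert_asserts(sample)
        print(level, *claims, sep="\n  - ")
```
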
The press release:

Mountain View, Calif. -- July 28, 2008 -- Around the world, online businesses are reporting measurable -- and substantial -- bottom-line benefits resulting from their deployment of Extended Validation (EV) Secure Sockets Layer (SSL) Certificates from VeriSign, the trusted provider of Internet infrastructure services for the networked world.

VeriSign EV SSL helps online businesses build trust with their customers by offering an effective safeguard against phishing scams that lure unsuspecting consumers to sites designed to appear almost identical to genuine Web pages. Identity thieves use these fraudulent pages to capture credit card numbers, passwords, and other valuable personal information. When visiting sites protected by an EV SSL Certificate, Internet users using compatible high-security browsers see a green address bar. The green address bar tells consumers they have reached a Web site whose authenticity has been verified according to certain rules.

From North America to Europe and beyond, online merchants and service providers are among the more than 5,000 online businesses that protect their Web sites with VeriSign EV SSL Certificates (including VeriSign, GeoTrust, and thawte brand certificates). And in the process, they are watching their Web sites perform at unprecedented levels. Among the recent success stories:

North America

Paper-Check.Com LLC, a San Francisco-based company that offers online document editing and proofreading services, especially to academic users.

Central Reservation Service (CRS) provides a free hotel reservation service that offers attractive rates and special deals on both independently owned and familiar brand hotels and resorts, with no prepayment and no booking, change, or cancellation fees. Results: Tests showed that customers who saw the green bar converted to purchase 30% more often than those who didn't see the green bar, far exceeding the company's expectations. View case study: www.verisign.com/crshotels

Europe

Dwell.co.uk markets a wide range of excellently priced contemporary furniture throughout the United Kingdom, with rapid delivery for in-stock items.

Fitness Footwear, Ltd. is the largest independent footwear retailer in the U.K. and the No. 1 supplier of several name brands, with its Web site accounting for 95% of its sales.

Scandinavian Design Online AB, part of the Design Online Group, is one of the leading Web sites selling home and garden, interior design, and décor to a worldwide audience across multiple Web sites. View case study: www.verisign.com/sdo

Pacific Rim

Results: After deploying VeriSign EV SSL Certificates, SISTIC recorded a 14% increase in sales.

"The Internet is a fantastic tool, but customers are concerned about security on Web sites," said Richard Theobald, IT manager at dwell. "Our use of the VeriSign Secured Seal and EV certificates is one of our most important ways of instilling confidence in customers and assuring them that their information is secure when they do business with dwell."

In addition to seeing bottom line results from EV SSL, VeriSign customers are also seeing uplift from the VeriSign Secured Seal. U.S.-based Proof-Reading.com LLC, a provider of high quality business document proofreading and editing services, recently reported a 36% increase in registrations after it switched to the VeriSign Secured Seal, citing VeriSign’s globally trusted brand as a major driver of the uplift.

"When a company makes the effort to provide a trusted online experience, customers respond -- and so does the bottom line," said Tim Callan, VP of SSL product marketing at VeriSign. "From soaring revenues and conversion rates to meaningful reductions in abandoned shopping carts, these online merchants are realizing real-world benefits from their reliance on VeriSign EV SSL Certificates. As these results show, EV SSL protection is an investment that keeps paying dividends."

When a Web site uses an EV SSL Certificate to identify itself, browsers including Internet Explorer 7 (IE7), Firefox 3, and Opera 9.5 display easily understood visual cues to provide tangible assurance of a site's authenticity. The browser adopts the "green glow," a highly visible green background on or adjacent to the browser's address bar. This green area contains the authenticated name of the organization that owns this site and can also indicate the name of the security provider that issued the certificate, such as VeriSign.

As the most respected and trusted SSL authority on the Web, VeriSign is the EV SSL Certificate provider of choice for more than 5,000 Internet domains, representing greater than 75% of the entire EV SSL Certificate market worldwide. In fact, over 95% of the Fortune 500 and the world's 40 largest banks secure their sites with SSL Certificates sold by VeriSign.**

To learn more about VeriSign EV SSL, visit http://www.verisign.com/EV-SSL.

** Includes VeriSign's subsidiaries, affiliates, and resellers.